Skip to main content

Adobe Acrobat document signing configuration

The script automates the configuration of Adobe Acrobat DC and Acrobat Reader DC to use a DigiCert-issued AATL (Adobe Approved Trust List) certificate for document signing. It simplifies the process of assigning certificates for digital signatures, ensuring document authenticity and user trust.

The script provides the following features:

  • Identifies and assigns the newly issued DigiCert AATL certificate for digital document signing, based on the certificate’s Key Usage (KU) and Extended Key Usage (EKU) fields.

  • Performs complete X.509 trust chain validation to ensure that the selected AATL certificate is valid, trusted, and issued by a recognized certificate authority (CA).

  • Integrates seamlessly with Adobe Acrobat DC, enabling the use of the assigned AATL certificate for digital signatures and leveraging DigiCert's timestamping services to ensure long-term signature validity.

Supported operating system and application

Operating system

Application

Windows (for specific version, refer to Prerequisites)

64-bit Adobe Acrobat DC or Adobe Acrobat Reader DC

Parameters

The script does not require any parameters.

Prerequisite checks

Before proceeding with certificate configuration, the script performs several checks to ensure the environment is ready:

  • Confirms that the 64-bit Adobe Acrobat DC or Adobe Acrobat Reader DC is installed on the system.

  • Validates the X.509 trust chain of the AATL certificate to confirm that it is issued by a trusted certificate authority (CA).

  • Validates that the certificate meets the following requirements (enforced during profile creation):

    • The certificate Key Usage (KU) field must include digitalSignature and optionally Non-repudiation.

    • The certificate Extended Key Usage (EKU) field must include the following:

      • MS Document Signing (1.3.6.1.4.1.311.3.10.3.12)

      • Document Signing (1.3.6.1.5.5.7.3.36)

      • Adobe Authentic Document Trust (1.2.840.113583.1.1.5)

How it works

The script executes the following steps:

  1. Ensures that all prerequisite checks are met.

  2. Retrieves the certificate from the user's personal certificate store for configuration.

  3. Configures the following security settings in Adobe Acrobat DC (or Adobe Acrobat Reader DC):

    1. Sets the specified certificate as the default signing certificate for digital signatures.

    2. Stores the certificate issuer details of the signing certificate.

    3. Configures DigiCert's Timestamp Authority (TSA) as the timestamp server and sets it as the default for digital signatures.

    4. Configures certificate chain display and signature provider settings.

On successful execution, you can verify the following settings:

  • For the configured signer certificate, go to the top left Menu > Preferences > Signatures > Identities & Trusted Certificates.

  • For the timestamp server, go to the top left Menu > Preferences > Signatures > Document Timestamping.

Troubleshooting

Refer to Common issues for more details to help you troubleshoot issues related to system post-processing scripts.

Refer to Adobe Acrobat Document Signing Configuration for more details to help you troubleshoot issues related to Adobe Acrobat document signing configuration.

Nesta secção: